Re: draft-ietf-ipsec-udp-encaps-06 comments.
Jean-Francois Dive <jef@linuxbe.org> Wed, 11 June 2003 17:05 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA17421 for <ipsec-archive@lists.ietf.org>; Wed, 11 Jun 2003 13:05:33 -0400 (EDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA08861 Wed, 11 Jun 2003 11:06:43 -0400 (EDT)
Date: Wed, 11 Jun 2003 17:11:42 +0200
From: Jean-Francois Dive <jef@linuxbe.org>
To: Jean-Francois Dive <jef@linuxbe.org>
Cc: Ari Huttunen <Ari.Huttunen@f-secure.com>, ipsec@lists.tislabs.com
Subject: Re: draft-ietf-ipsec-udp-encaps-06 comments.
Message-ID: <20030611151142.GG1043@gardafou.assamite.eu.org>
References: <20030611113650.GD1043@gardafou.assamite.eu.org> <3EE72FB1.1040507@f-secure.com> <20030611142538.GE1043@gardafou.assamite.eu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20030611142538.GE1043@gardafou.assamite.eu.org>
User-Agent: Mutt/1.5.3i
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
On Wed, Jun 11, 2003 at 04:25:38PM +0200, Jean-Francois Dive wrote:
> On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote:
> > Jean-Francois Dive wrote:
> > >Hi all,
> > >
> > >I am actually busy with implementing NAT-T in IKEv1 context and found
> > >something which may have been overlooked (or that I missed the discussion
> > >on this list). In section 3.1.2, the author talks about the procedure to
> > >follow for UDP-encapsulated transport mode NAT decapsulation. I totally
> > >agree with the first point (point (a)) but think the second point
> > >(point (b)) is totally wrong and should never be implemented as such:
> > >it is suggested that if we don't have the original source or destination
> > >IP addresses, the TCP/UDP checksum of the packet should be recomputed to
> > >match the NAT'ed IP pseudo header. This can't happen, as it would make
> > >corrupted packets appear as proper packets, the checksum "mangling" or
> > >update being right as a wrong checksum at the start would remain wrong.
> > >The only proper way to deal with this would be to go with checksum update
> > >when you have the information and no checksum at all if you don't have
> > >the information.
> > >Any comments ?
> >
> > You wouldn't use ESP without authentication, would you? In transport
> > mode there's no chance that the packet contents accidentally changed
> > if the packet is authenticated. It wouldn't pass authentication checking.
>
> consider the following:
> - packet is transmitted from a station.
> - hops through a dodgy router which corrupts it.
> - goes through the IPsec gateway, gets UDP-in-ESP'ed.
> - goes through a NAT gateway.
> - arrives at the IPsec gateway, the issue arises, the authenticated
>   content never changed on the path.

ok, something slipped away from my mind when coding this thing, we are in
transport mode so this is hardly going to happen....

> > Ari
> >
> > --
> > I play it cool and dig all jive,
> > that's the reason I stay alive.
> > My motto as I live and learn,
> > is dig and be dug in return. <Langston Hughes>
> >
> > Ari Huttunen                  phone: +358 9 2520 0700
> > Software Architect            fax  : +358 9 2520 5001
> >
> > F-Secure Corporation          http://www.F-Secure.com
> >
> > F(ully)-Secure products: Securing the Mobile Enterprise
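As an added illustration of the checksum argument in the thread (this is example code, not from the draft, the thread, or either implementer), the following Python models the two decapsulation options of section 3.1.2 on a constructed UDP segment: option (a) fixes up the existing checksum for the address change using the original addresses (RFC 1624 style), option (b) recomputes it from scratch for the NAT'ed addresses, and only (a) still rejects a segment whose payload was damaged before it was encapsulated. Addresses, ports and payload are constructed for the demonstration.

```python
import ipaddress
import struct

def _sum16(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded to 16 bits (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 pseudo header for UDP (protocol 17): src, dst, zero, protocol, UDP length."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + struct.pack("!BBH", 0, 17, length)

def udp_segment(sport: int, dport: int, payload: bytes, src: str, dst: str) -> bytes:
    """Build a UDP segment whose checksum is valid for the given IP pair (0 is sent as 0xFFFF)."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ck = 0xFFFF - _sum16(_pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:6] + struct.pack("!H", ck or 0xFFFF) + payload

def udp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    """Receiver check: segment plus pseudo header must sum to all-ones."""
    return _sum16(_pseudo_header(src, dst, len(seg)) + seg) == 0xFFFF

def recompute(seg: bytes, src: str, dst: str) -> bytes:
    """Draft option (b): throw the old checksum away and rebuild it for the NAT'ed addresses."""
    sport, dport = struct.unpack("!HH", seg[:4])
    return udp_segment(sport, dport, seg[8:], src, dst)

def incremental_update(seg: bytes, old_src: str, old_dst: str, new_src: str, new_dst: str) -> bytes:
    """Draft option (a): fix up the existing checksum, RFC 1624 style: HC' = ~(~HC + ~m + m')."""
    hc = struct.unpack("!H", seg[6:8])[0]
    m = _sum16(ipaddress.IPv4Address(old_src).packed + ipaddress.IPv4Address(old_dst).packed)
    m_new = _sum16(ipaddress.IPv4Address(new_src).packed + ipaddress.IPv4Address(new_dst).packed)
    total = _sum16(struct.pack("!HHH", ~hc & 0xFFFF, ~m & 0xFFFF, m_new))  # one's-complement add
    return seg[:6] + struct.pack("!H", (~total & 0xFFFF) or 0xFFFF) + seg[8:]

def demo() -> dict:
    """Constructed addresses and payload; the NAT rewrites only the source address."""
    orig_src, orig_dst = "10.0.0.5", "10.0.0.9"   # original addresses (what NAT-OA carries)
    nat_src, nat_dst = "203.0.113.7", "10.0.0.9"  # addresses as seen after the NAT
    seg = udp_segment(5000, 53, b"constructed payload", orig_src, orig_dst)
    corrupted = seg[:8] + b"X" + seg[9:]          # one payload byte damaged, checksum untouched
    fixup = lambda s: incremental_update(s, orig_src, orig_dst, nat_src, nat_dst)
    return {
        "intact_after_a": udp_checksum_ok(nat_src, nat_dst, fixup(seg)),
        "corrupt_detected_by_a": not udp_checksum_ok(nat_src, nat_dst, fixup(corrupted)),
        "corrupt_masked_by_b": udp_checksum_ok(nat_src, nat_dst, recompute(corrupted, nat_src, nat_dst)),
    }
```

The point of the thread still stands for the intact case: option (a) produces a checksum the receiver accepts, so the difference between the two options only shows on a segment that was already bad before encapsulation.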